Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
office-quotes
v1.2.3Generate random quotes from The Office (US). Provides access to 326 offline quotes plus online mode with SVG cards, character avatars, and full episode metadata via the akashrajpurohit API. Use for fun, icebreakers, or any task requiring The Office quotes.
⭐ 0· 2.4k·7 current·7 all-time
byGustavo Madeira Santana@gumadeiras
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The package exposes an office-quotes CLI, provides offline quotes and an API mode that fetches SVG or JSON from the akashrajpurohit API — this matches the name/description and declared binary. Included Python scripts implement alternative SVG→PNG conversion which is coherent with the claimed image output capabilities.
Instruction Scope
Runtime code reads/writes temporary files (/tmp), fetches remote resources from https://officeapi.akashrajpurohit.com, and (optionally) launches Playwright/Chromium to render SVG→PNG. The SKILL.md omits mention that Playwright and its browser runtime may be required and that rendering can trigger additional network requests for embedded assets in the SVG (e.g., avatars). These behaviors are related to the feature set but have privacy/resource implications that users should be aware of.
Install Mechanism
Install uses a standard npm package (office-quotes-cli) which is an expected delivery mechanism. However, the runtime requires Playwright (and its browser binaries) for some conversions — Playwright may need separate install steps (and will download Chromium), which is not documented in SKILL.md. There are no downloads from obscure/personal URLs in the provided files.
Credentials
No environment variables, credentials, or external config paths are requested. The code uses the filesystem for temporary output and only network access to the stated API host; requested access appears proportionate to the skill's purpose.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and does not declare persistent privileges. It runs as an invoked CLI and writes only temporary files as part of its operation.
Assessment
This skill appears to do what it claims (produce quotes and images). Before installing, consider: 1) It can call a third-party API (officeapi.akashrajpurohit.com) — don't use it if you need strictly offline operation; use the local mode instead. 2) Converting SVG→PNG may launch Playwright/Chromium and/or download browser binaries (resource and network activity) — the SKILL.md doesn't document that extra step. 3) The Python helpers fetch arbitrary SVG URLs (they will make network requests to whatever URL you pass). 4) If you want extra assurance, review the npm package on the public registry and the referenced GitHub repo (github.com/gumadeiras/office-quotes-cli) and inspect the package.json/dependencies for unexpected telemetry or leftover tooling. If you have strict network or resource policies, run in local/offline mode or audit the package and its dependencies first.Like a lobster shell, security has layers — review code before you run it.
latestvk97arw7tgyya3rpyrngb284xp57zyd78
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsoffice-quotes
Install
Install office-quotes CLI (npm)
Bins: office-quotes
npm i -g office-quotes-cli